This is a preemptive plea for people who last wrote PHP in 2012 not to opine on what writing PHP is like in 2025. It is not a hammer with two claws. It’s a modern language with types and tooling and package management.
I've certainly seem some lovely PHP code. Even phpBB has been very clean for a long time.
But at the same time, you run into the same problems that you often see with C++. Yes, there's a clean, semi-modern dialect of the language that has 80% of what you'd ideally want. And 80% is often more than enough for practical engineering purposes. But the actual project you get hired to work on may not be written in that cleaner, modern dialect. The last C++ project I cracked open had gone almost 20 years since its last serious update. It wasn't terrible. But wow, did it take a lot of very tricky code to accomplish anything before boost and TR1 became popular.
And old PHP was one of the worst languages ever invented: the core C code was hopelessly insecure (I had to read it for a client during the dotcom boom), the database APIs were different for every single database (and all of them made SQL injection techniques too easy), the default configuration allowed hostile users to inject global variable values using CGI parameters, and I could go on for a week. Yes, I saw some ugly stuff in other languages during the dotcom boom. But ancient PHP was often on a whole other level.
And when a language's history includes that much ugliness, you need to be very careful about old production code bases. Maybe you get a nice Symfony app! Buy maybe you get mixed HTML/PHP/SQL with a hundred security holes inherent in the APIs being used.
Not to mention, the people who've been writing code in 2012 are still writing PHP code like it's 2012, and plenty of people are learning to write PHP the same way.
I haven't seen too many PHP codebases in the past decade, but every one has been full of a mix of commits that are beautiful, clean, functional code... and just the worst mishmash of garbage I've ever seen.
PHP might be fine, but I'm still not sure if I'm ready to work with other PHP developers.
PHP got a lot better. Their types are actually awesome and better than average. The problems are now about the developers more than the language. Legacy PHP is the majority of PHP and it'll still make you go insane since you'll have to deal with that awful, ugly code someone wrote in the Summer of 2004 when they were an intern that is now core to a business. The people that have been writing PHP and only PHP for two decades also don't usually have great patterns they follow, so when you step into their code base, there's hell to experience.
Had this at my last job where I wrote PHP full time for two years. There were so many bugs caused by things that PHP has since remedied. I updated everything we could and it was huge step up (the available linting and static analysis tools are very solid), but there's still some deep, dark legacy code there that no one wanted to touch. Hell, a good part of my problem with that code base was actually because of Apache and mod_php.
If you have a fresh PHP code base, it's not that bad anymore. It wouldn't be my first pick, but definitely not my last.
Edit: I never got to work with Laravel, but I've played around independently and read their docs and it seems like a good dev experience.
The developers come in all flavors, too. I spend my time writing Drupal code and the average quality is fairly high. (Code quality in the Drupal project itself has always been high, in fact, even when PHP was a disaster on wheels.) So it depends on what those people writing PHP for two decades have been working on.
They have, in fact, been willing to break backwards compatibility when it matters. mysql_real_escape_string(), for example, my personal favorite bugaboo from the early days, was removed in 2015.
I have recently had to delve in PHP and it was much better and more mature than what people painted it to be 10+ years ago.
A night and day difference.
Jira gave me the same experience. I hated it remembering the 2020 times, yet going back to it now...I actually liked it way more than the alternatives.
Working with Drupal as a user is not the same as working as a Drupal developer. If you know Drupal well enough that you’re not flailing around trying to figure out how to do things—if you actually know the framework and you build sites with it regularly—it’s remarkably pleasant from a code perspective. The main problem with Drupal is the learning curve. It’s much easier to get started writing, say, a Laravel app. But for the narrow case where you need a heavy-duty content management system with features like multilingual and robust cache integration, and you’re willing to put in the time learning it, Drupal is not a miserable experience. It’s actually good software.
I've heard that a lot, but my gripe with modern PHP is what's the hook? What feature does it offer that other scripting languages don't?
- Can you use the same rendering logic on client and server like JavaScript?
- Does it have the performance of Java or C# or Go?
- Does it allow for expressive DSLs like Ruby?
- Does it have an extensive, cutting edge ML ecosystem like Python?
Back in 2010, PHP's stand out features were very straightforward installation, good support for templating, and a large collection of C library wrappers (even if the interfaces were a bit raw). Those hooks were compelling enough to make people put up with the PHP4 core language.
But other languages have caught up on those three points, which leaves modern PHP utterly unremarkable. It doesn't have any feature that stands out enough to make me want to switch back.
The appeal of something like PHP these days is not that it has any particularly unique features, but that it is ubiquitous, has withstood the test of time (meaning it's relatively bug-free), is well supported (meaning it won't disappear any time soon), and is relatively easy to find developers for. Those features alone make it a contender for projects that don't need a specialized language.
> What feature does it offer that other scripting languages don't?
It has pretty much the best type support of all other similar languages (typescript is a different category). It also has the best implementation of class-based object oriented features (interfaces, classes, abstract classes, etc). These features are incredible for designing OO systems from scratch. The only big feature missing is generics.
- Kinda with templates, but I don't think this is a pro for JS tho
- Yes there is LLVM for example
- Have you heard of Laravel ?
- No, there is already python for that, use the right tool for the right job
Today PHP is a really really good language to get scalable apps up and running, moreover with frameworks like laravle that comes with tons of batteries included without tanking the performances.
But so so many people remains on the good old PHP dead trend just because it's easier to ignore all the great evolutions pf the past decades
That’s a perfectly valid argument. I’m not saying people shouldn’t make that argument. I’m just saying I don’t want to hear about mysql_real_escape_string.
To answer your question, I don’t know that modern PHP has big advantages over other modern languages. I’m not knocking on doors to spread the gospel of Symfony. But there’s no need to switch away from it either. And hosting is still easy and cheap. Prototyping your product as a Laravel or Symfony app is a reasonable choice.
My problem with php is that I’ve never seen modern php with types and tooling. I’ve seen a lot of php, and it was all awful 2012 style nightmare magic stuff lol.
Which is probably because php isn’t the top choice for new web based projects anymore. I have nothing against modern php, but old php causes me lots of pain, and that’s the only php I’ve ever known!
> It’s a modern language with types and tooling and package management.
Last I used Php (v4 to v8), it had type hinting, which was fine but I think its going to become harder for newcomers to approach as there stronger and stronger types, which is what made Php so special to begin with IMHO.
I get your point but I disagree with your timeline. 2012 was already past 5.3 which was a long-lived version with most of the quirks of early 5 fixed.
There was a lot of what people call modern PHP, basically just without the types. I'd say the PHP 4 days are the darker ages that most people reference, but maybe your experience in 2012 was like 2007ish. (TLDR: If you found it fine in 2012 it's probably still fine in 2025, but I don't see the huge wins. I stopped using it for reasons other than "dislike").
I picked 2012 because that’s when the claw hammer discourse was happening, but I agree with you. You could write pretty nice-looking PHP by 2012, and a lot of people did. The claw hammer thing was itself looking back at PHP from several years before.
Can not be emphasized enough imo. The amount of absolute ridiculous levels of pain instigated by expecting a core code loop to run -forever- and doing so well while being written for some web project or other is just too much to fathom. Just use PHP and serve the request. Then let it die. Then serve a new request.
It‘s called „shared nothing“. Also makes scaling easier and you can restart processes anytime without impact, because every request starts at zero anyway.
One of my biggest issues with php was the number of imports and file reads involved. It made running something like wordpress _really_ slow on slow disks or over nfs. I don't remember apcu or opcache helping much for that because I think it still did a stat on every file iirc.
For single-file php apps or just not using a big framework, it's not really a problem.
And it’s not a joke, PHP is actually the most secure runtime environment out there for web hosting, PRECISELY because of the shared-nothing architecture.
Faster runtimes exist, like Swoole and recently FrankenPHP, to do evented programming like Node JS. But let me tell ya — you risk all kinds of leaks, both of unfreed memory and of secrets, across requests. It ain’t worth it most of the time!
Agree that it’s good to get the certainty of zero memory leaks (assuming there’s no associated bugs in apache) but it’s not that hard to write code that doesn’t cause memory leaks for stateful apps as long as you are able to follow certain simple principles and avoid bugs in the third party libs you use.
I don't think it can be emphasised enough how big of a deal the ease of deploying applications written in these languages is. The fact you can just upload the files with FTP, SSH, by pulling them from version control, etc makes learning so much easier than it'd be otherwise, and really speeds up deployment for software using these languages.
Like, this genuinely might be one of the big reasons that scripts like WordPress, MediaWiki and XenForo still use PHP. The people installing these things don't have to be technically minded in the slightest, and can get their sites running on a 5 quid a year shared hosting service without the need to understand the command line, shell scripting, containers, server management, etc.
Is it secure? Probably not. Is it best practice? No. But you can test your changes near instantaneously, and it takes like 30 seconds to get set up. Ease of use is huge.
I often reach for PHP or JS, because anything more seems like over-engineering a simple problem. I'm usually looking to make simple, quick, internal tools that just run without much maintenance or support. PHP has been perfect for this. A lot of them are just single files and run for years without me doing a thing.
Over the last few years, I've found that most sites clients want can be built with static site generators and JavaScript. PHP is also great and easily hosted! But most times when there's a sprinkling of dynamism needed, it's OK if its happens at build/run time rather than when the page is rendered on a seever. This leads to faster page load and less to worry about security-wise. No shade! I've just been finding this has lead to good outcomes for me.
You mean to say some basic company site, blog or photo gallery that only gets updated once/twice a month, with zero dynamic content otherwise doesnt need a whole LAMP stack?
Honestly though with GH/CF pages type hosting and how simple static sites can be its a direction I'm ever thankful things have been moving. Just seems so much less painful for those who arent here to be security experts and just want a bloody site that 'just works'
Your static site generator can generate PHP instead of html and have some server-side dynamism sprinkled in your mostly static site, same way that generating JS can sprinkle some client side dynamism.
No clue how relevant they are today, but server side includes (SSI) solves the problem of wanting a _mostly_ static page with a little bit of dynamic content in it.
When I started https://github.com/Qbix/Platform over a decade I go I went with PHP for most request handling and Node.js for optional realtime handling (delivering messages over websockets, delivering notifications to devices etc)
And I have never regretted it. PHP powers 80% of all web sites in the world, still today! And it is the only language and runtime out there that is shared-nothing for web serving. Eliminates all kinds of leaks, including of memory, and secrets etc.
And with strict types and Psalm used right, I’d be happy to show it to anyone. The OO paradigm in general always has its valid criticism but modern PHP written correctly for its usual problem domains is perfectly fine actually it’s great at what it does.
...but you have got working code and a nice refactoring job where you do everything to the agreed on coding standards, learn a bit from your colleagues in the peer review and end up with something that is done the right way that you can take pride in.
Readit News
But at the same time, you run into the same problems that you often see with C++. Yes, there's a clean, semi-modern dialect of the language that has 80% of what you'd ideally want. And 80% is often more than enough for practical engineering purposes. But the actual project you get hired to work on may not be written in that cleaner, modern dialect. The last C++ project I cracked open had gone almost 20 years since its last serious update. It wasn't terrible. But wow, did it take a lot of very tricky code to accomplish anything before boost and TR1 became popular.
And old PHP was one of the worst languages ever invented: the core C code was hopelessly insecure (I had to read it for a client during the dotcom boom), the database APIs were different for every single database (and all of them made SQL injection techniques too easy), the default configuration allowed hostile users to inject global variable values using CGI parameters, and I could go on for a week. Yes, I saw some ugly stuff in other languages during the dotcom boom. But ancient PHP was often on a whole other level.
And when a language's history includes that much ugliness, you need to be very careful about old production code bases. Maybe you get a nice Symfony app! Buy maybe you get mixed HTML/PHP/SQL with a hundred security holes inherent in the APIs being used.
I haven't seen too many PHP codebases in the past decade, but every one has been full of a mix of commits that are beautiful, clean, functional code... and just the worst mishmash of garbage I've ever seen.
PHP might be fine, but I'm still not sure if I'm ready to work with other PHP developers.
Had this at my last job where I wrote PHP full time for two years. There were so many bugs caused by things that PHP has since remedied. I updated everything we could and it was huge step up (the available linting and static analysis tools are very solid), but there's still some deep, dark legacy code there that no one wanted to touch. Hell, a good part of my problem with that code base was actually because of Apache and mod_php.
If you have a fresh PHP code base, it's not that bad anymore. It wouldn't be my first pick, but definitely not my last.
Edit: I never got to work with Laravel, but I've played around independently and read their docs and it seems like a good dev experience.
I have recently had to delve in PHP and it was much better and more mature than what people painted it to be 10+ years ago.
A night and day difference.
Jira gave me the same experience. I hated it remembering the 2020 times, yet going back to it now...I actually liked it way more than the alternatives.
- Can you use the same rendering logic on client and server like JavaScript?
- Does it have the performance of Java or C# or Go?
- Does it allow for expressive DSLs like Ruby?
- Does it have an extensive, cutting edge ML ecosystem like Python?
Back in 2010, PHP's stand out features were very straightforward installation, good support for templating, and a large collection of C library wrappers (even if the interfaces were a bit raw). Those hooks were compelling enough to make people put up with the PHP4 core language.
But other languages have caught up on those three points, which leaves modern PHP utterly unremarkable. It doesn't have any feature that stands out enough to make me want to switch back.
It has pretty much the best type support of all other similar languages (typescript is a different category). It also has the best implementation of class-based object oriented features (interfaces, classes, abstract classes, etc). These features are incredible for designing OO systems from scratch. The only big feature missing is generics.
- Yes there is LLVM for example
- Have you heard of Laravel ?
- No, there is already python for that, use the right tool for the right job
Today PHP is a really really good language to get scalable apps up and running, moreover with frameworks like laravle that comes with tons of batteries included without tanking the performances. But so so many people remains on the good old PHP dead trend just because it's easier to ignore all the great evolutions pf the past decades
To answer your question, I don’t know that modern PHP has big advantages over other modern languages. I’m not knocking on doors to spread the gospel of Symfony. But there’s no need to switch away from it either. And hosting is still easy and cheap. Prototyping your product as a Laravel or Symfony app is a reasonable choice.
Which is probably because php isn’t the top choice for new web based projects anymore. I have nothing against modern php, but old php causes me lots of pain, and that’s the only php I’ve ever known!
Last I used Php (v4 to v8), it had type hinting, which was fine but I think its going to become harder for newcomers to approach as there stronger and stronger types, which is what made Php so special to begin with IMHO.
There was a lot of what people call modern PHP, basically just without the types. I'd say the PHP 4 days are the darker ages that most people reference, but maybe your experience in 2012 was like 2007ish. (TLDR: If you found it fine in 2012 it's probably still fine in 2025, but I don't see the huge wins. I stopped using it for reasons other than "dislike").
Deleted Comment
* resource leaks are non-existent
Can not be emphasized enough imo. The amount of absolute ridiculous levels of pain instigated by expecting a core code loop to run -forever- and doing so well while being written for some web project or other is just too much to fathom. Just use PHP and serve the request. Then let it die. Then serve a new request.
For single-file php apps or just not using a big framework, it's not really a problem.
What if you need any kind of in-memory cache? Or in general, any kind of application maintaining state, for, say, performance reasons?
And it’s not a joke, PHP is actually the most secure runtime environment out there for web hosting, PRECISELY because of the shared-nothing architecture.
Faster runtimes exist, like Swoole and recently FrankenPHP, to do evented programming like Node JS. But let me tell ya — you risk all kinds of leaks, both of unfreed memory and of secrets, across requests. It ain’t worth it most of the time!
https://www.php.net/manual/en/install.fpm.configuration.php#...
Like, this genuinely might be one of the big reasons that scripts like WordPress, MediaWiki and XenForo still use PHP. The people installing these things don't have to be technically minded in the slightest, and can get their sites running on a 5 quid a year shared hosting service without the need to understand the command line, shell scripting, containers, server management, etc.
Is it secure? Probably not. Is it best practice? No. But you can test your changes near instantaneously, and it takes like 30 seconds to get set up. Ease of use is huge.
Honestly though with GH/CF pages type hosting and how simple static sites can be its a direction I'm ever thankful things have been moving. Just seems so much less painful for those who arent here to be security experts and just want a bloody site that 'just works'
And I have never regretted it. PHP powers 80% of all web sites in the world, still today! And it is the only language and runtime out there that is shared-nothing for web serving. Eliminates all kinds of leaks, including of memory, and secrets etc.
PS: This was the early PHP framework that the platform grew out of: https://www.reddit.com/r/webdev/s/hETCmkpWFW and this is how long ago I posted on HN about it: https://news.ycombinator.com/item?id=2464112 !